Data security breaches happen daily in too many places at once to keep count. But what constitutes a huge breach versus a small one? For some perspective, we take a look at 10 of the biggest incidents in recent memory. Helping us out are security practitioners from a variety of industries, including more than a dozen members of LinkedIn’s Information Security Community, who provided nominations for the list.
By Taylor Armerding and Bill Brenner, CSO
Date: March 2008
Impact: 134 million credit cards exposed through SQL injection to install spyware on Heartland’s data systems.
A federal grand jury indicted Albert Gonzalez and two unnamed Russian accomplices in 2009. Gonzalez, a Cuban-American, was alleged to have masterminded the international operation that stole the credit and debit cards. In March 2010 he was sentenced to 20 years in federal prison.
Date: March 2011
Impact: Possibly 40 million employee records stolen.
The impact of the cyber attack that stole information on the company’s SecurID authentication tokens is still being debated. The company said two separate hacker groups worked in collaboration with a foreign government to launch a series of spear phishing attacks against RSA employees, posing as people the employees trusted, to penetrate the company’s network. EMC reported last July that it had spent at least $66 million on remediation. But according to RSA executives, no customers’ networks were breached. John Linkous, vice president, chief security and compliance officer of eIQnetworks, Inc. doesn’t buy it.
Date: Sometime in 2010, but origins date to 2007
Impact: Meant to attack Iran’s nuclear power program, but will also serve as a template for real-world intrusion and service disruption of power grids, water supplies or public transportation systems.
The immediate effects of Stuxnet were minimal — at least in this country — but eIQnetworks’ John Linkous ranks it among the top large-scale breaches because, “it was the first that bridged the virtual and real worlds. When a piece of code can have a tangible effect on a nation, city or person, then we’ve truly arrived in a strange, new world,” he says. Linkous says Stuxnet is proof that nation-states, “are definitely actors — both attackers and victims — in the cyberwarfare game.” He adds that the more that electro-mechanical industrial and energy systems migrate to larger networks — particularly the Internet — “the more we’re going to see these real-world intrusions.”
Date: May 2006
Impact: An unencrypted national database with names, Social Security numbers, dates of births, and some disability ratings for 26.5 million veterans, active-duty military personnel and spouses was stolen.
The breach pointed once again to the human element being the weakest link in the security chain. The database was on a laptop and external hard drive that were both stolen in a burglary from a VA analyst’s Maryland home. The analyst reported the May 3, 2006 theft to the police immediately, but Veterans Affairs Secretary R. James Nicholson was not told of it until May 16. Nicholson informed the FBI the next day, but the VA issued no public statement until May 22. An unknown person returned the stolen items June 29, 2006. The VA estimated it would cost $100 million to $500 million to prevent and cover possible losses from the theft.
Date: April 20, 2011
Impact: 77 million PlayStation Network accounts hacked; Sony is said to have lost millions while the site was down for a month.
This is viewed as the worst gaming community data breach of all-time. Of more than 77 million accounts affected, 12 million had unencrypted credit card numbers. According to Sony it still has not found the source of the hack. Whoever they are gained access to full names, passwords, e-mails, home addresses, purchase history, credit card numbers, and PSN/Qriocity logins and passwords. “It’s enough to make every good security person wonder, ‘If this is what it’s like at Sony, what’s it like at every other multi-national company that’s sitting on millions of user data records?’” says eIQnetworks’ John Linkous. He says it should remind those in IT security to identify and apply security controls consistently across their organizations. For customers, “Be careful whom you give your data to. It may not be worth the price to get access to online games or other virtual assets.”
Date: December 2010
Impact: Compromised e-mail addresses and passwords of about 1.3 million commenters on popular blogs like Lifehacker, Gizmodo, and Jezebel, plus the theft of the source code for Gawker’s custom-built content management system.
Online forums and blogs are among the most popular targets of hackers. A group calling itself Gnosis claimed responsibility for the attack, saying it had been launched because of Gawker’s “outright arrogance” toward the hacker community. “They’re rarely secured to the same level as large, commercial websites,” says the KNOS Project’s Kevin McAleavey, who adds that the main problem was that Gawker stored passwords in a format that was very easy for hackers to understand. “Some users used the same passwords for email and Twitter, and it was only a matter of hours before hackers had hijacked their accounts and begun using them to send spam,” says McAleavey.
Impact: Stolen intellectual property
In an act of industrial espionage, the Chinese government launched a massive and unprecedented attack on Google, Yahoo, and dozens of other Silicon Valley companies. The Chinese hackers exploited a weakness in an old version of Internet Explorer to gain access to Google’s internal network. It was first announced that China was trying to gather information on Chinese human rights activists. It’s not known exactly what data was stolen from the American companies, but Google admitted that some of its intellectual property had been stolen and that it would soon cease operations in China. For users, the urgent message is that those who haven’t recently updated their web browser should do so immediately.
Date: Throughout 2010
Impact: Undisclosed information stolen
Security experts are unanimous in saying that the most troubling thing about the VeriSign breach, or breaches, in which hackers gained access to privileged systems and information, is the way the company handled it — poorly. VeriSign never announced the attacks. The incidents did not become public until 2011, through a new SEC-mandated filing. “How many times were they breached?” asks eIQnetworks’ John Linkous. “What attack vectors were used? The short answer is: we don’t know. And the response to that is simply: we should.”
Date: August 6, 2006
Impact: Data on more than 20 million web inquiries, from more than 650,000 users, including shopping and banking data were posted publicly on a web site.
In January 2007, Business 2.0 Magazine ranked the release of the search data in among the “101 Dumbest Moments in Business.” Michael Arrington, a lawyer and founder of the blog site TechCrunch, posted a comment on his blog saying, “The utter stupidity of this is staggering.” AOL Research, headed by Dr. Abdur Chowdhury, released a compressed text file on one of its websites containing 20 million search keywords for more than 650,000 users over a three-month period. While it was intended for research purposes, it was mistakenly posted publicly. AOL pulled the file from public access by the next day, but not before it had been mirrored and distributed on the Internet
Date: August 2007
Impact: Confidential information of 1.3 million job seekers stolen and used in a phishing scam.
Hackers broke into the U.S. online recruitment site’s password-protected resume library using credentials that Monster Worldwide Inc. said were stolen from its clients. Reuters reported that the attack was launched using two servers at a Web-hosting company in Ukraine and a group of personal computers that the hackers controlled after infecting them with a malicious software program. The company said the information stolen was limited to names, addresses, phone numbers and e-mail addresses, and no other details, including bank account numbers, were uploaded. But one problem was that Monster learned of the breach on Aug. 17, but didn’t go public with it for five days.